Sunday, March 4, 2018

Which VPN Services Keep You Anonymous in 2018? | TorrentFreak

Using a VPN service is a great way to protect your privacy online.

However, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.

This is the main reason why we publish a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects.

It’s worth keeping in mind though that not all VPN protocols and encryption algorithms are equally secure. PPTP is known to be vulnerable for example, and pre-shared keys are also a risk. We ask all VPN providers what their best recommendation is, but we encourage readers to fully research all options.

This year’s questions are as follows:

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?

3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?

4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?

6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?

7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?

9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)

12. What countries are your servers physically located? Do you offer virtual locations?

—-

Below is the list of responses from the VPN services in their own words. These are not endorsements and trust is crucial. Providers which didn’t answer our questions directly, blocked certain traffic, or are logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.

Private Internet Access

VPN review1. We do not store any logs relating to traffic, session, DNS or metadata. We do not keep any logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.

2. Private Internet Access is operated by London Trust Media, Inc., with branches in the US and Iceland, which are a few of the countries that still respect privacy and do not have a mandatory data retention policy.

3. We have an active, proprietary system in place to help mitigate abuse.

4. At the moment we are using Google Apps Suite and Zendesk. However, we are in the process of migrating our support to Deskpro, an in-house self-hosted solution.

5. We do not monitor our users, and we keep no logs, period. That said, we do have an active, proprietary system in place to help mitigate abuse.

6. Every court order is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” We do periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. This is all driven based upon our commitment to privacy. All this being said, we do not log and do not have any data on our customers other than their signup e-mail and account username.

7. Yes, BitTorrent and file-sharing traffic are allowed and treated equally to all other traffic (although it’s routed through a second VPN in some cases). We do not censor our traffic because we believe in an open internet, period.

8. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Bitcoin Cash, Zcash, CashU, PaymentWall, and any major store-bought gift card and OKPay. Payment data is not linked nor linkable to user activity do to our no logs policy.

9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256.

10. Yes, our users gain access to a plethora of additional tools, including but not limited to:

(a) Kill Switch: Ensures that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could lead to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
(e) MACE™: Protects users from malware, trackers, and ads.

11. We utilize our own bare metal servers in third-party data centers that are operated by trusted friends and, now, business partners whom we have met and on which we have completed serious due diligence. Our servers are located in facilities including 100TB, Choopa, Leaseweb, among others.

We also operate our own DNS servers on our high throughput network. These servers are private and do not log.

12. As of the beginning of 2018, we operate 3172 servers across 43 locations in 28 countries. For more information on what countries are available, please visit our network information page. All of our locations are physical and not virtualized.

Private Internet Access website

NordVPN

nordv1. We do not keep any logs nor timestamps that could allow our customers to be identified.

2. The registered company name is Tefincom co S.A., and it operates under the jurisdiction of Panama.

3.We have developed and implemented an automated tool that limits the maximum number of connections to six devices. We do not use any other tools.

4. We use Google Analytics and third-party ticket/live chat tools (Zendesk/Zopim). Google Analytics is used to improve our website and provide our users with the most relevant information. The ticket/live chat tool is used to provide the best support in the industry (available 24/7), but not tracking our users by any means.

5. We operate under Panama’s jurisdiction, where DMCA and similar orders have no legal bearing. Therefore, they do not apply to us.

6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our zero-log policy means that we don’t have any information about our users’ online activity. So far, we haven’t had any such cases.

7. Yes, we allow P2P traffic. We have optimized a number of our servers specifically for file-sharing; this way, we ensure that other servers, which are meant for streaming and other purposes, have uninterrupted speeds.

8. Our customers are able to pay via credit card, PayPal and Bitcoin. Our payment processing partners collect basic billing information for payment processing and refund requests, but it cannot be related to any Internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details with the user identity or other personal information.

9. The ciphers we use along with the OpenVPN and IKEv2/IPSec protocols have never been cracked. Therefore, both of these protocols are highly secure. For OpenVPN connection, we use the AES 256 CBC algorithm. IKEv2/IPSec ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie Hellmann keys.

10. Yes, we do provide both an automatic kill switch and a feature for DNS leak protection.

11. We use a hybrid model, whereby we control some of our servers but also partner with premium data centers with strong security practices. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. We also have specific requirements for network providers to ensure highest service quality for our customers. We do have our own DNS servers, and all DNS requests go through those.

12. All of our servers are dedicated and located in the same countries we state they are – we do not offer virtual locations. At the moment, NordVPN provides more than 3000 servers in 59 countries. Full location list can be found at nordvpn.com/servers.

NordVPN website

ExpressVPN

expressvpnlogo1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data contents, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity. It is not possible to match a user to data points that we never possess.

2. Express VPN International Ltd. is a BVI (British Virgin Islands) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach.

3. To protect our customers’ privacy, we do not monitor or log any user activity on our network. We do however reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.

4. We use Zendesk for support tickets and SnapEngage for live chat support; we have assessed the security profiles of both and consider them to be secure platforms. We use Google Analytics and cookies to collect marketing metrics for our website and several externals tools for collecting crash reports (a setting that can be switched off in any of our apps). ExpressVPN is committed to protecting the privacy of our users, and our practices are discussed in detail in our comprehensive Privacy Policy.

5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy and anonymity are always preserved.

6. Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. As a general rule, we reply to law enforcement inquiries by informing the investigator that we do not possess any data that could link activity or IP addresses to a specific user. Regarding a demand that we log activity going forward: Were BVI law enforcement ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.

7. We do not believe in restricting or censoring any type of traffic. ExpressVPN allows all traffic, including BitTorrent and other file-sharing traffic (without re-routing), from all of our VPN servers.

8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, there is no way for ExpressVPN or any external party to link payment details entered on our website with any VPN activities.

9. ExpressVPN apps generally default to our recommended protocol for security and performance: OpenVPN UDP. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers.

10. Yes, ExpressVPN protects users from privacy and security leaks in a number of ways (for more info about leak protection, see our Privacy Research Lab). Our “Network Lock” feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios where other VPNs might leak.

11. Our VPN servers are hosted in trusted data centers with strong security practices. The data center employees do not have server credentials, and the server disks are fully encrypted to mitigate risks from physical seizure. Our policy of not collecting activity or connection logs also means that servers do not contain any data that could map users to specific activity.

We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS.

12. ExpressVPN has over 2,000 servers covering 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country — a physical footprint covering every continent save Antarctica, ensuring there are server locations near all users.

For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards for server security, reliability, and speed, we use virtual locations to still make it possible for users to assume IP addresses from those countries. These locations represent less than 3% of ExpressVPN’s server count, and the specific countries are published on our website here.

ExpressVPN website

Ipredator

1. No logs are retained that would allow the correlation of the user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.

2. The name of the company is PrivActually Ltd which operates out of Cyprus.

3. Real abuse is mitigated by meatware [humans]. User traffic is not monitored or inspected in any way. TCP/IP sessions are not limited individually, but by server, to 10 million established connections. Packet floods are dealt with by using adaptive packet rate limiters at the switch port level and kick in at 90k pps. The number of concurrent connections is limited by the VPN backend software.

4. There is no visitor tracking mechanism, not even passive ones analyzing the web server logs. IPredator runs its own mail infrastructure and does not use third party products like GMail. Neither do we use data hogs like a ticket system to manage support requests. IPredator sticks to a simple mail system and deletes old data after three months from the mailboxes.

5. Requests are evaluated according to the legal frameworks set forth in the jurisdictions the service operates in and we react accordingly. After receiving a request its validity is verified. DMCA takedown abuse using fake credentials seems to be all the rage these days.

6. A canary is maintained to indicate the current legal state of affairs. In case of a court order that forces us to enable log activity we would rather shut down the service than comply.

7. BitTorrent and other file-sharing traffic is allowed.

8. PayPal, Bitcoins, Payza, and Payson are fully integrated. Other payment methods are available on request. An internal transaction ID is used to link payments to the payment processor. We do not store any other data about payments associated with the user’s account. The systems dealing with payments have no connection to the part of the infrastructure that handles VPN connections. Frontend proxies are used to make sure user IP addresses do not show up in any of the backend systems.

9. IPredator provides config files for various platforms and clients that enforce TLS1.2 on supported systems. Ideally, the client negotiates ECDHE-RSA-AES256-GCM as a suite for the control and AES256 for the data channel. For further protection, detailed setup instructions and howtos are provided to our users.

10. Netsplice, IPredator’s cross-platform VPN client, has native support for various types of kill switches. You can kill a program, just put it to sleep, shutdown your machine or wipe your hard disk … it is up to you. Users can use this page to check for a number of leaks, not just DNS leaks.

11. We own every server, switch, and cable we use to provide the VPN service up to our uplink network. The machines are located in Sweden due to the laws that allow us to run our service in a privacy-protecting manner. If the situation should change we are able to move operations to a different country. The core for any privacy service is trust in the integrity of the underlying infrastructure. Everything else has to build upon that, which includes the DNS servers.

12. Sweden.

Ipredator website

TorGuard

1. No logs or timestamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a default shared IP configuration across all servers. Because there are no logs kept and multiple users sharing a single IP address, it is not possible to match any user with an IP and time stamp.

2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.

3. We utilize a number of highly customized scripts to monitor network performance and limit simultaneous connections through a radius-based authentication server.

4. We use anonymized Google Analytics data to optimize our website and Sendgrid for transactional email. TorGuard’s 24/7 live chat services are provided through Livechatinc’s platform. Customer support desk requests are maintained by TorGuard’s own private ticketing system.

5. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log and no time stamp policy and shared IP network – we are unable to forward any requests to a single user.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our shared IP network configuration and the fact that we do not hold any identifying logs or time stamps. TorGuard’s network was designed to operate with minimum server resources and is not physically capable of retaining such logs. There is no on/off switch to log activity so it would be impossible to comply with such a request. No, this has never happened.

7. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block, re-route, or limit any types of traffic across our network.

8. We currently offer over 200 different payment options. This includes all forms of credit card, PayPal, Bitcoin, cryptocurrency (e.g. Litecoin, Ethereum, Monero + many more), Alipay, WeChat Pay, UnionPay, 100+ Gift Card brands, and many other worldwide local payment options. No user can be linked back to account usage or IP assignments because we maintain zero logs across our network.

9. For best security, we advise clients to use OpenVPN and select the cipher option AES-256-GCM, with 4096bit RSA and SHA512 HMAC. We use TLS 1.2 on all servers with perfect forward secrecy enabled. For faster speeds and “obfuscated” Stealth VPN access, we suggest using OpenConnect SSL VPN with cipher option AES-256-GCM. TorGuard offers a wide range of VPN protocols, including OpenVPN, iKEV2, IPsec, SSTP, OpenConnect/AnyConnect, Stunnel, and Shadowsocks.

10. TorGuard’s VPN software provides strict security features by automatically disabling IPv6 and blocking any potential DNS or WebRTC leaks. We offer a full connection kill-switch that safeguards your VPN traffic against accidental disconnects and can hard kill your interfaces if needed, and an application kill-switch that can terminate specific apps if the VPN connection is interrupted for additional safety.

11. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by TorGuard staff. By default, the TorGuard VPN app uses private no log DNS on each VPN endpoint. The TG also app allows clients to modify their VPN session with a custom DNS entry of their choosing.

12. TorGuard currently maintains thousands of servers in over 55 countries around the world, and we continue to expand the network each month. All servers are physically located in the stated country of origin and we do not use any virtual locations.

TorGuard website

AzireVPN

azire1. No, we do not record or store any logs related to our services. No traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or any other kind of logs are stored. System logs are disabled. Anonymity of our users is very important to us as described in our Terms of Service.

2. The registered company name is Netbouncer AB and we operate under Swedish jurisdiction where there are no data retention laws that apply to VPN providers.

3. Our servers are running using Blind Operator mode which means we took extra security steps to ensure that we cannot monitor any traffic at all. Abuses like incoming DDoS attacks are usually mitigated with UDP filtering on the source port used by an attacker.

4. No, we do not rely on and refuse to use external third-party systems. We run our own email infrastructure and encourage people to use PGP encryption. Ticketing support system, website analytics (Piwik, with anonymization settings) and other tools are hosted in-house on open-source software. We have plans to replace some of these tools by solutions developed by ourselves.

5. We politely inform the sender party that we do not keep any logs and are unable to identify a user.

6. In the case that a valid court order is issued, we will inform the other party that we are unable to identify an active user or past user of our service while running as a Blind Operator, which is preventing live analysis of traffic. In that case, they would probably force us to handover physical access to the server, which is fine since they would have to reboot to gain any kind of access, and since we are running diskless in RAM – all data will be lost. So far, we have never received any court order and no personal information has ever been given away.

7. Yes, BitTorrent, peer-to-peer and file-sharing traffic is allowed and treated equally to any other traffic on all of our locations. We strongly believe in net neutrality.

8. As of now, we propose a variety of payments options including anonymous methods such as Bitcoin, Bitcoin Cash, Litecoin, Monero, Ethereum and some other cryptocurrencies (through CoinPayments) and cash money via postal mail. We also offer PayPal, credit cards (VISA, MasterCard and American Express through Paymentwall) and Swish. We do not store sensitive payment information on our servers, we only retain an internal reference code for order confirmation.

9. We recommend our users to use our new WireGuard servers available on Linux, some routers (LEDE/OpenWRT), and soon on Android.
– Data channel cipher: CHACHA20 with POLY1305 for authentication and data integrity
– Authenticated key exchange: Noise Protocol Framework’s Noise_IKpsk2, using Curve25519, Blake2s, and CHACHA20-POLY1305, a formally verified
construction.

Otherwise, we recommend OpenVPN with default configuration available in UDP and TCP modes. These settings offer the highest grade of security achieved through OpenVPN on all of our servers:
– Data channel cipher: AES-256-GCM (OpenVPN 2.4) or AES-256-CBC with HMAC-512 for authentication and data integrity (OpenVPN 2.3)
– Control channel cipher: TLS v1.2 using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 (AEAD)
– Authenticated key exchange: Diffie-Hellman method and Perfect Forward Secrecy (DHE) using a RSA key with a 4096 bit key size, re-keying every 120 minutes (can be lowered)
– Additional auth key: RSA with a 2048 bit key size
– Additional crypt key: RSA with a 2048 bit key size

10. We offer a new custom open-source VPN application called azclient, for all desktop platforms (Windows, macOS and Linux), with source code released on Github under the GPLv2 license, currently supporting OpenVPN. Our client is developed by a security expert and designed with ease of installation and use in mind, allowing users to connect to the VPN servers with only a few clicks. We plan to add a kill switch and DNS leak protection features to the client in the future.

11. We physically own all of our hardware, in all of our locations, including bare metal dedicated servers and switches, co-located in closed racks on different data centers around the world meeting our strict security criteria, using network dedicated links and carefully chosen providers for maximum network quality and throughput. We host our own non-logging DNS servers in different locations and provide DNSCrypt support for DNS requests encryption.

12. As of now, we operate across five locations including Canada, Spain, Sweden, United Kingdom and the United States. Moldova is planned later this
year, as indicated on our roadmap. There are no virtual locations.

AzireVPN website

HideIPVPN

hideipvpn1. Currently, we store no logs related to any IP address. There is no way for any third-party to match a user IP to any specific activity on the internet.

2. Registered name of the company is Server Management LLC and we operate under US jurisdiction.

3. A single subscription can be used simultaneously for three connections. Abuses of service usually means using non-P2P servers for torrents or DMCA notices. Also, our no-log policy makes it impossible to track who downloaded/uploaded any data from the internet using our VPN. We use iptables plugin to block P2P traffic on servers where P2P is not explicitly allowed. We block outgoing mail on port 25 to prevent spamming activity.

4. We use live chat provided by tawk.to and Google Apps for incoming email. For outgoing email we use our own SMTP server.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the datacenter or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which makes it impossible to track who downloaded any data from the internet using our VPN.

6. HideIPVPN may disclose information, including but not limited to, information concerning a client, in order to comply with a court order, subpoena, summons, discovery request, warrant, statute, regulation, or governmental request. But due to the fact that we have a no-logs policy and we use Shared IPs, there won’t be anything to disclose excepting billing details. This has never happened before.

7. This type of traffic is welcomed on our German (DE VPN), Dutch (NL VPN), Luxembourg (LU VPN) and Lithuanian (LT VPN) servers. It is not allowed on US, UK, Canada, Poland, Singapore and French servers as stated in our TOS – the reason for this is our agreements with data centers. We also have specific VPN plan for torrents.

8. Currently, HideIPVPN accepts following methods: PayPal, Bitcoin, Credit & Debit cards, JCB, American Express, Diners Club International, Discover. All our clients billing details are stored in WHMCS billing system.

9. SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems.

10. Yes, our free VPN apps have both features built in.

11. We don’t have physical control on our VPN servers. Servers are outsourced in premium data-center with high-quality tier1 networks.

12. At the moment we have VPN servers located in 10 countries – US, UK, Netherlands, Germany, Luxembourg, Lithuania, Canada, Poland, France and Singapore. As you can see number of available locations is steadily growing.

HideIPVPN website

Hide.me

hideme1. No, we don’t keep any logs. We have developed our system with an eye on our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.

2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.

3. We do not limit or monitor individual connections. To mitigate abuse we deploy general firewall rules on some servers that apply to specific IP ranges. By design, one username can only establish one simultaneous connection.

4. Our landing pages, which are solely used for advertising purposes, include a limited amount of third-party tracking scripts, namely Google Analytics. However, no personal information that could be linked with the VPN usage is shared with these providers. We do not send information that could compromise someone’s security over email.

5. Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.

6. Although it has never happened, in such a scenario, we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs and there is no way we could link any particular cyber activity to any particular user. In case we are forced to store user logs, we would prefer to close down rather than putting our users at stake who have put their trust in us.

7. There is no effective way of blocking file-sharing traffic without monitoring our customers which is against our principles and would be even illegal. Usually, we only recommend our customers to avoid the US & UK locations for file-sharing but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.

8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash, Monero, PayPal, Credit Cards and Bank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can’t be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.

9. After all, modern VPN protocols that we all support – like IKEv2, OpenVPN and SSTP – are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.

10. Our users’ privacy is of utmost concern to us. Our Windows client has the features such as Kill Switch, Auto Connect, Auto Reconnect etc which makes sure that the user is always encrypted and anonymous.

11. We operate our own non-logging DNS-servers to protect our customers from DNS hijacking and similar attacks. We operate 30+ server locations in 27 different countries. However we do not own physical hardware. There is intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person can access our servers. Among our reputable partners are Leaseweb, NFOrce, Equinix and Softlayer.

12. Our servers are located in countries all over the world, among the most popular ones are Canada, Netherlands, Singapore, Germany, Brazil, Mexico and Australia. Below is the complete list of countries, alternatively you can view all available locations here.

Hide.me website

IVPN

ivpn1. No, not doing so is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. In addition, it is not within our interest to do so as it would increase our liability and is not required by the laws of any jurisdiction that IVPN operates in.

2. Privatus Limited, Gibraltar.

3. We use a few custom scripts (based on PSAD) to proactively detect and alert malicious activity. From a management perspective, we monitor our network using Zabbix. In the almost 10 years we’ve been operating its safe to say we’ve seen almost everything.

4. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. All our internal services run on our own dedicated servers that we setup, configure and manage. No 3rd parties have access to our servers or data.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information. If legally compelled to log activity going forward we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).

7. Yes, all file-sharing traffic is permitted and treated equally on all servers. We do encourage customers to use non-USA based exit servers for P2P as any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

8. We accept Bitcoin, Cash, PayPal and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments but this is not linked in anyway to account usage or IP-assignments.

9. We provide RSA-4096 / AES-256-GCM with OpenVPN, which we believe is more than secure enough for our customers’ needs.

10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN etc.

11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log free DNS servers that are only accessible to our customers.

12. Please see https://www.ivpn.net/server-locations. We do not offer virtual locations.

IVPN website

Windscribe

1. We don’t keep any logs that can match a user to an IP and timestamp.

2. Windscribe Limited, Ontario (Canada) Corporation.

3. We store the total amount of bytes transferred in a 30 day period. This counter gets reset monthly and there is no historical usage. We block SMTP port 25 to prevent email spamming.

4. Everything is self-hosted including but not limited to email, support desk, and live chat.

5. We notify the sender that the IP address is a VPN node and is shared by hundreds of people at any given moment, so there is no way to trace the activity to any single user.

6. We received multiple subpoenas and court orders requesting subscriber information. Our response was identical to what we send in case of a DMCA related request in every case. We were never ordered to log users (although there were requests), but since we’re in Canada which has no mandatory data retention directives that apply to VPNs, we wouldn’t need to comply.

7. BitTorrent is allowed in all locations as we don’t interfere with the traffic. We request that users don’t do it in Japan and India due to more stringent providers in those regions, but it’s more of a guideline than a rule.

8. Credit cards (Stripe), PayPal, all major cryptocurrencies and various gift cards. As we store no logs of this type, there is nothing to link the payments to.

9. We support OpenVPN and IKEv2. Both are equally secure as we use the strongest encryption possible (GCM-AES-256) with both. We recommend trying IKEv2 first, as it’s faster almost in all cases. If it’s blocked on your network, then you can use OpenVPN which operates on common ports and is a lot harder to block, especially when using Stealth (Stunnel) mode. Our application tries all the protocols automatically and uses the best one for your specific network.

10. Windscribe Firewall is built into our Windows and Mac applications. It blocks all connectivity outside of the tunnel to ensure there is zero chance of any kind of leak, including but not limited to DNS leaks, IPv6 leaks, WebRTC leaks, etc.

A firewall blocks ALL connectivity outside of the tunnel. If the VPN connection drops, there is nothing that needs to be done, and not a single packet can leave the machine, since the firewall will not allow it. In geek terms, it fails closed.

11. All our servers are bare metal machines which are leased from various reputable hosting providers worldwide. As we have servers in over 100 different data-centers, listing them here would create a fairly lengthy list.

Each VPN node we operate has a recursive DNS server running on it, which is only accessible over the tunnel as it listens exclusively on a LAN IP address.

12. We have servers in 50 countries and over 100 cities. The full list is shown here. All our servers are physically where they are claimed to be, as we don’t have any fake/virtual locations.

Windscribe website

VPNBaron

vpnbaron1. We do not keep traffic logs that match an IP address with a user. We do monitor the number of active connections for the user in order to prevent unlimited connections from one subscription.

2. Our registered legal name is Hexville SRL. We’re under Romanian jurisdiction, inside of the European Union.

3. Our tools are developed in-house. To limit the concurrent connections we keep track of the active connections of users. Every user has a limited number of concurrent connections, depending on his subscription. When he connects, we subtract one. When he disconnects, we add one back. Reach zero and the service will not allow the user to connect until he disconnects one of his active instances.

To limit the brute force types of abuses, we monitor the health of the servers and limit the network priority of the obvious DDOS that might be masked through our service. SMTP abuses will also result in temporary port blocking for that service.

4. Emails and the support platform are hosted in-house. For our sales site analytics, we rely on Google Analytics. Live support is hosted by tawk.to which has a great privacy policy.

5. We designed our system in such a way that DMCA notices cannot be forwarded to our users. A diverse approach is needed to deal with this particular industry issue: from explaining that we don’t host any content to replacing IPs and servers that received multiple strikes.

6. No subpoena has been received by our company. If that happens, we’ll be sure to assist as much as we’re legally obliged. Keep in mind that we don’t have much information to provide.

7. Net neutrality is king. We allow any kind of traffic. P2P included.

8. We use Bitcoins (and many other kinds of virtual currencies: ETH, XRP, DGB, LTC ), PayPal, PerfectMoney and Credit Cards. The sales & billing platform is stored separately of the actual VPN system.

9. We use only OpenVPN protocol, one of the most secure and hard to crack protocols, with AES-256-CBC cipher, TLSv1/SSLv3 DHE-RSA-AES512-SHA, 2048 bit RSA.

On top of the OpenVPN, you can also choose one of the two anti DPI (Deep Package Inspection) protocols: “TOR’s OBFSPROXY Scamblesuit” and “SSL” that mask your VPN connection from your ISP. These protocols come handy in places that actively block VPN connections, like China, Egypt or university campuses.

10. Yes, we have an incorporated kill switch in our client and DNS leak protection.

11. We do use our own DNS and Google DNS for some servers.

Because of the nature of the industry, we consider that replacing servers and blacklisted IPs as fast as possible, having the ability to migrate from one ISP to another, and not existing in a constant physical location is a great plus. That’s why decided to rent the VPN servers.

12. At the time of writing this, we do not offer virtual locations. We offer more than 30 servers in 18 countries and we’re expanding fast. You can find the full list here.

VPNBaron website

SecureVPN.to

SecureVPNto1. We don’t log any individually identifying information. The privacy of our customers is our top priority.

2. Our service is operated by a group of autonomous privacy activists outside of “Fourteen Eyes” or “Enemy of the Internet” countries. Each server is handled within the jurisdiction of the server’s location.

3. There are no tools which monitor our customers but we use techniques which don’t require any logging to prevent the abuse of our service.

4. Our website has been entirely developed by ourselves and thus we don’t rely on external service providers.

5. We reply to takedown notices but can’t be forced to hand out information because of our non-logging policy.

6. This hasn’t happened yet, but if we were forced to identify any of our customers at a specific server location, we would immediately terminate this location. We are not going to log, monitor or share any information about our customers under any circumstances.

7. BitTorrent and other file-sharing traffic is allowed and treated equally to other traffic on all servers.

8. We offer a wide range of anonymous payment methods like Bitcoin, Dash, Ethereum, Paysafecard and Perfect Money. No external payment processor receives any information because all payments are processed by our own payment interface.

9. We would recommend OpenVPN, available in UDP and TCP mode. We are using AES-256-GCM/CBC for traffic encryption, 4096 bit RSA keys for the key exchange and SHA-512 as HMAC. These settings offer you the highest grade of security available.

10. Our VPN Client provides advanced security features like a Kill Switch, DNS Leak Protection, IPv4/IPv6 Leak Protection, WebRTC Leak Protection and many more.

11. We rent 27 servers in 20 countries and are continuously expanding our server park. During the last year we focused on replacing our 100 Mbit/s servers with high-end dedicated gigabit servers and thus the number of servers slightly decreased. It is impossible to have physical control over all widespread servers but we took security measures to prevent unintended server access. At the moment we are using the nameservers of Quad9 which offer good privacy.

12. Every server is physically located in its specified country and thus we don’t offer virtual locations. You can find our server list at the following link.

SecureVPN.to website

VPNArea

vpnarea1. We do not keep or record any logs. We are therefore not able to match an IP-address and a time stamp to a user of our service.

2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.

3. To prevent mail spam abuse we block mail ports used for such activity, but we preemptively whitelist known and legit email servers so that genuine mail users can still receive and send their emails.

To limit concurrent connections to 6, we use our in-house developed system that adds and subtracts +1 or -1 towards the user’s “global-live-connections-count” in a database of ours which the authentication API corresponds with anonymously each time the user disconnects or connects to a server. The process does not record any data about which servers the subtracting/detracting is coming from or any other data at any time, logging is completely disabled at the API.

4. We host our own email servers in Switzerland. We host our own Ticket Support system on our servers in Switzerland. The only external tools we use are Google Analytics for our website and Zopim Live Chat.

5. DMCA notices are not forwarded to our members as we’re unable to identify a responsible user due to not having any logs or data that can help us associate an individual with an account. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.

6. This has not happened yet. Should it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then delegate our no logs policy to the appropriate party pointing out that we’re not able to match a user to an IP or timestamp due to not keeping or recording any logs. In our six year history we’ve upheld our reputation and we believe one of the reasons such court orders don’t reach us is our clearly stated no-logs policy.

7. BitTorrent/P2P is allowed on most of our servers but not all of them. Why not? Some servers that we use are not tolerant to DMCA notices, but some of our members utilize them for other activities not related to torrenting. That is why we keep them in our network despite the inability to use P2P/torrents on them. Most of our VPN servers and locations do allow torrents and P2P. We even allow torrenting on server locations that most VPN providers don’t, such as USA and Canada.

8. We accept PayPal, Credit/Debit cards and Webmoney via third party payment processor, plus Bitcoin and Payza. We do not require personal details to register an account with us. In the case of PayPal/Payza/card payments we link usernames to their transactions so we can process a refund. We do take active steps to make sure payment details can’t be linked to account usage or IP assignments. We do not use a recurring payments system.

9. We use AES-256-CBC + SHA256 cipher and RSA4096 keys on all our VPN servers with without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination.

10. Yes, we provide both KillSwitch and DNS Leak protection for our Windows and Mac apps. Our new Android app already has DNS Leak protection and AdBlocking and within a couple of days will also have KillSwitch in the upcoming new version.

11. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.

12. All our servers are physically located in the stated countries. A list of our servers in 70 countries can be found here.

VPNArea website

AirVPN

airvpn1. No, we don’t.

2. The name of the company is Air and it is located in Italy.

3. We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.

4. Absolutely not.

5. They are ignored.

6. The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.

7. Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.

8. Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.

We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.

9. We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellmnn keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channels ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AED cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.

Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally of public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, momentarily we would suggest to drop ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.

10. Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.

11. The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).

12. We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.

AirVPN website

Trust.Zone

trustzone1. Trust.Zone doesn’t store any logs. All we need from users is just an email to sign up. No first name, no last name, no personal info, no tracking, no logs.

2. Trust.Zone is under Seychelles jurisdiction and we operate according to the law in Seychelles. There is no mandatory data retention law in Seychelles. In our jurisdiction, a foreign court order would not be enforceable and since we don’t store any logs, there is nothing to be taken from our servers. The company is operated by Extra Solutions Ltd.

3. We have no usage restriction on our service. As we don’t have any logs, we can’t track any user online activity. Trust.Zone doesn’t use any third party tools on the website. The single restriction we have is three simultaneous connections per user.

4. Trust.Zone does not use any third-party support tools, tracking systems like Google Analytics or live chats. If a user loads our website in a browser, all information like Javascript, HTML and CSS belongs to trust.zone domain only.

5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Why? Trust.Zone is under Seychelles offshore jurisdiction. There is no mandatory data retention law in Seychelles. Since we don’t store any logs, there is nothing to be had from our servers.

6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone is a VPN provider with a Warrant Canary. Trust.Zone has not received or has been subject to any searches, seizures of data or requirements to log any actions of our customers.

7. We don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers or any type of traffic whatsoever.

8. All major credit cards are accepted. Besides, Bitcoin, PayPal, Webmoney, Alipay, wire transfer and many other types of payments are available. To stay completely anonymous, we highly recommend using anonymous payments via Bitcoin.

9. Trust.Zone uses the highest level of data encryption. We use a protocol which is faster than OpenVPN and also includes Perfect Forward Secrecy (PFS). The unique feature of Trust.Zone VPN is that you can forward your VPN traffic via ports – 21(FTP) 22 ( SCP, SFTP ), 80 (HTTP), 443 (HTTPS) or 1194 (OpenVPN), most of which can’t be blocked by your ISP. Trust.Zone uses AES-256 Encryption by default. We also offer L2TP over IPsec which also uses 256bit AES Encryption.

10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with using our DNS to avoid any DNS leaks. Trust.Zone has no support for IPv6 connections to avoid any leaks. We also provide users with additional recommendations to be sure that there are no any DNS leaks or IP leaks.

11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have access to them physically. In locations with lower utilization, we normally host with third parties. But the most important point is that we use dedicated servers in this case only, with full control by our network administrators. DNS queries go through our own DNS servers.

12. We are operating with 150+ servers in 30+ countries and still growing. The most popular Trust.Zone locations are France, Australia, US, Canada and UK. The full map of the server locations is available here.

Trust.Zone website

CactusVPN

cactus1. We don’t keep any logs.

2. CactusVPN Inc., Canada

3. We restrict our services with up to five devices per package for VPN connection and to unlimited devices for SmartDNS service as long as all of them have the same IP address. Abuse of services is regulated by our Linux firewall and most of the datacenters we hire servers from provide additional security measures for servers attacks.

4. No.

5. We did not receive any official notices yet. We will only respond to a local court order.

6. If we have a valid order from Canadian authorities we have to help them identify the user. Bus as we do not keep any logs we just can’t do that. We did not receive any orders yet.

7. BitTorrent and other file-sharing traffic is allowed on Netherlands, Germany, Switzerland and Romanian servers.

8. PayPal, Visa, MasterCard, Discover, American Express, Bitcoin & Altcoins, Alipay, Qiwi, Webmoney, Boleto Bancario, Yandex Money and other not so popular payment options.

9. We recommend users to use SoftEther with ECDHE-RSA-AES128-GCM-SHA256 cipher suite.

10. Yes, our apps include Kill Switch and Apps. Killer options in case a VPN connection is dropped. Also they include DNS Leak protection.

11. We use servers from various data centers.

12. USA, UK, France, Germany, Canada, Netherlands, South Korea, Australia, Poland, Japan, Switzerland, Singapore, Romania.

CactusVPN website

ShadeYou VPN

shadeyou
1. ShadeYou VPN does not keep any logs. To use our service only a username and e-mail are required. No personal or real data is required.

2. We are incorporated as DATA ACCENTS LP and operate under the United Kingdom jurisdiction.

3. Limits of concurrent connections are regulated in real time on the server side by our own developed tools without any logs kept.

4. We are using Google Analytics as a tool which allows us to improve our website and bring our users better experience. Also, we are using SiteHeart online support. But none of these tools track / hold personal information.

5. The abuse team of ShadeYou VPN answers as follows: A) We do not store any illegal content on our servers. B) Every user agrees with our privacy policy while registering, so we warned that illegal actions are prohibited and at this time we are not responsible. C) We have no any personal data of our users or any logs of their activities that can be shared with third-parties because we simply do not store it.

6. There are no any special steps since we have no logs to share and analyze. It means we can’t help with identifying the active or past user of our service. Logging activity is not acceptable for our service. We had different cases but we can guarantee that none of our users were compromised.

7. BitTorrent and any other file-sharing traffic is allowed mostly on all our servers. There are only a few exceptions (such as when traffic is limited on the servers).

8. ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, UnionPay, AliPay, MINT, CashU, Ukash also accept payments via Visa, Master Card, Maestro and Discover. Of course, Bitcoin is available. Important note: we do not store billing information which is required to improve users safety.

9. We strongly recommend using OpenVPN since it is the safest and uses the strongest encryption (TLS Protocol with 4096-bit key length and AES-256-CBC crypto-algorithm).

10. We support “Kill switches” and DNS leak protection using our desktop client.

11. All our servers are collocated around the world in data centers of different leading hosting companies. Yes, we are using our own DNS servers.

12. Here is an overview and all servers are physically located.

ShadeYou VPN website

PrivateVPN

privatevpn1. We don’t retain or log any identifiers namely IP addresses, timestamps of any sort of connections on our VPN or authentication servers, data used, the speed of connection at all. Period.

2. PrivateVPN is run by a Swedish company viz. ‘Privat Kommunikation Sverige AB’ under Swedish jurisdiction.

3. Owing to our above-mentioned privacy promise, active monitoring of our service is out of the question.

4. We use a service known as LiveAgent to provide email or ticket and live chat support. They do not hold any information about chat sessions. Chat conversation transcripts are not stored on chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email to a user, and then destroyed.

5. DMCA is not applicable to our service as it is not a codified law or act under Swedish jurisdiction. So, it is none of our business. A Swedish equivalent isn’t in the scene as of now in our jurisdiction at all.

6. As already mentioned above, we don’t retain or log any identifiers at all. So, basically even when ordered to actively investigate a user we are limited to the number of active logins which is just a numerical value. That being said, we have not received a court order to date.

7. Of course, we are not in the business of restricting and throttling things. The whole point of a user connecting to our VPN servers is to get uncensored and unrestricted Internet.

8. We support PayPal, Stripe, and Bitcoin. Alipay as a payment method is en route. We offer a 30-day money-back guarantee and in order to enforce it, we keep a track of payments linked to a user account. There is no way to link an IP address assigned from us to a user account as we do not log such data.

9. No single VPN protocol works for everyone. We support multiple VPN protocols viz. PPTP,L2TP,IPsec,IKEv2,OpenVPN,Shadowsocks(beta) and soon SSH(in labs). Our default VPN protocol on all the platforms other than iOS is OpenVPN over UDP with 256-bit AEAD ciphers when you use our VPN application.

We recommend a user with an ideal ISP to use OpenVPN over UDP/1194. In case your ISP happens to throttle default OpenVPN port 1194, you can use OpenVPN over TCP/443, which is deployed with the latest –tls-crypt that OpenVPN offers for additional privacy and very basic obfuscation of the protocol itself.

For users who love built-in VPN clients for an OS, like Windows, Mac, Blackberry, iOS etc, we recommend IKEv2. For users from UAE, Egypt, some parts of China etc, we are working on secure Shadowsocks over TCP/80 with AEAD cipher and/or SSH-based solutions to tunnel their OpenVPN traffic. Shadowsocks is already being tested and working with many happy users new and old users from Egypt & UAE. For Tor lovers, we offer a guide, help, instructions on how to connect to our OpenVPN servers over Tor for additional security and privacy.

10. Our Windows VPN App offers robust Kill switch and DNS leak protection. DNS leaks on any major platform are owing to broken installations which are fixed as soon we see a report or any issues. IPv6 leak protection is available on every platform and multiple VPN protocols. We offer guides and instructions to set up a kill switch on macOS, GNU/Linux, BSD etc and are rapidly working with our developers to add these features in our easy to use and install VPN applications.

11. We have physical control over our servers and network in Sweden. We’re only using trusted data centers with strong security. Our providers have no access to PrivateVPN’s servers and most importantly, there is no customer data/activities stored on the VPN servers or on any other system we have.

We have deployed our own multiple DNS nameservers which work from within tunnel and are automatically pushed to VPN clients upon successful connection. You are at liberty to use whatever DNS nameservers you like though. For example, if you or someone you trust hosts a server with additional security features like DNSCRYPT and DNSSEC, it is fair if you wish to use it.

12. We use a mix of physical and virtual servers depending on the demand and needs of a given location.

PrivateVPN website

OctaneVPN

octane1. No.

2. Octane Networks, LLC. US registered company.

3. We block port 25 outbound to reduce the possibility of spam. Our auth system limits concurrent connections via our custom backend.

4. We use Google Analytics for general website trends. We use Hotjar occasionally for A/B and user experience testing. Support is internal.

5. If the customer session is still connected to our service we take action. Repeat infringers must be disabled since we are a US based company and must comply with DMCA.

6. This has not happened. We would take every action we legally could to maintain the privacy of our customers. Since logs are not used, there is little information we could provide if ordered to do so by a court of competent jurisdiction.

7. Yes. We operate with net neutrality with the exception of restricting outgoing SMTP to prevent spammers from abusing the service.

8. Bitcoin, Credit/Debit Card and PayPal. IP addresses are not linked to payment details.

9. OpenVPN
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-CBC
auth SHA512

10. Our client disables IPv6 completely as part of our DNS and IP leak protection in our Windows and Mac OS X OctaneVPN clients. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection.

This a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts. With a ‘kill switch’, data sent during the time between checks is potentially vulnerable to a dropped connection. Our system is proactive vs a reactive kill switch.

Customers should vigilant as other software such as JavaScript, Flash, Java and WebRTC can leak IP independently of their VPN connection. Customers might want to consider creating a profile in their web browser specifically tailored toward web browsing privacy by disabling 3rd party plugins/extensions.

11. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host. We do not do the virtual location BS you hear about sometimes. Each of our gateways acts as a DNS server for the end-user.

12. We have gateways in 45 countries and 92 cities.

OctaneVPN website

SlickVPN

1. SlickVPN doesn’t log traffic or session data of any kind. We don’t store connection time stamps, used bandwidth, traffic logs, or IP addresses.

2. Slick Networks, Inc. is our recognized corporate name. We operate a complex business structure with multiple layers of offshore holding companies, subsidiary holding companies, and finally some operating companies to help protect our interests. The main marketing entity for our business is based in the United States of America but the top level of our operating entity is based out of Nevis.

3. We block port 25 to reduce the likelihood of spam originating from our systems. The SlickVPN authentication backend is completely custom and limits concurrent connections.

4. We utilize third party email systems to contact clients who opt in for our newsletters and Google Analytics for basic website traffic monitoring and troubleshooting. We believe these platforms to be secure. Because we do not log your traffic/browsing data, no information about how users may or may not use the SlickVPN service is ever visible to these platforms.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session. Otherwise, we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we rarely receive a valid DMCA complaint while a user is still in an active session.

6. This has never happened in the history of our company. Our customer’s privacy is of topmost importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. SlickVPN uses a warrant canary to inform users if we have received any such requests from a government agency. Users can monitor our warrant canary here: SlickVPN Warrant Canary

7. Yes. All traffic is allowed. SlickVPN does not impose restrictions based on the type of traffic our users send.

8. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America (Marketing) and the other platform is operated out of Nevis (Operations).

Payment details are held by our marketing company which has no access to the Operations data. We offer the ability for the customer to permanently delete their payment information from our servers at any point and all customer data is automatically removed from our records shortly after the customer ceases being a paying member.

9. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and we use the AES-256-CBC algorithm for encryption.

10. Our leak protection (commonly called a ‘kill-switch’) keeps your IPv4 and IPv6 traffic from leaking to any other network and protects against DNS leaks. Your network will be disabled if you lose the connection to our servers and the only way to restore the network is manual intervention by the user.

11. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties unless there is enough demand in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. We’re currently in the process of deploying 10Gb connected nodes that are physically controlled by our company.

In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We periodically remount our ramdisks to remove any lingering data. Each of our access servers acts as the DNS server for customers connected to that node.

12. At SlickVPN we actually go through the expense of putting a physical server in each country that we list. SlickVPN offers VPN service in 40 countries around the world. We do not do offer virtual locations.

SlickVPN reviews

CryptoStorm

cryptostorm1. No. The only logs on our servers are security related, such as: [root@wilno ~]# tail -n1 /var/log/messages Feb 21 17:27:51 wilno kernel: grsec: exec of /usr/bin/tail (tail -n1 /var/log/messages ) by /usr/bin/tail[bash:14447] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12336] uid/euid:0/0 gid/egid:0/0

This is so we can monitor for unauthorized commands in the unlikely event that a server is compromised by some 0day exploit. Strict privilege separation and access control is done to minimize the access any potential attackers would get if any of our services were vulnerable to a 0day exploit. None of those logs contain any customer-related data.

2. Cryptostorm consists of several different entities that are in different regions. This is so if any adversary were to put legal pressure on one of those entities, we can simply drop and replace it, along with any resources that might be under it. The names and locations of these entities are not publicly disclosed, simply to make it more difficult for any potential adversaries.

3. Abuse is mitigated by using snort’s NFQ DAQ as an Intrusion Prevention System. This allows us to block the most basic or automated attacks/scans that would violate the Terms of Service at most data centers. It also allows us to prevent basic attacks without requiring us to keep any data that could be used to identify a customer. No customer IPs ever show up in those snort alerts.

4. No.

5. Most of the data centers we’ve chosen aren’t legally required to do anything about DMCA or similar complaints. The few that are legally required to do something, are only required to forward the complaint to us. Currently, the only exception is one of our Netherlands data centers, who requires a response from us. For them, we use a template very similar to this.

If an ISP, data center, or anyone else were to request customer information related to a DMCA complaint, we wouldn’t be able to provide anything since we don’t have anything. If a data center threatens to suspend our server if we don’t comply, we simply stop doing business with that data center.

6. The locations of the entities that make up Cryptostorm were specifically chosen for their strong privacy and business laws. We wouldn’t be able to comply with any court order requesting customer information since we don’t have any information to give. If a court successfully ordered one of our entities to start collecting customer information, we would absolve any entities in that court’s region.

In the highly unlikely event that international courts coordinating together were successful in ordering all of our entities to comply, we would shut down Cryptostorm, Lavabit style. As of February 2018, we have never received any such court orders. If we were to receive any “gag orders”, our warrant canary would inform customers of its existence.

7. Yes.

8. Credit/debit card payments are accepted via PayPal and Stripe. Bitcoin is accepted through BitPay. Bitcoin, Bitcoin Cash, BlackCoin, Dash, DigiByte, Dogecoin, Ether Classic, Ether, GameCredits, Litecoin, PotCoin, Vertcoin, Monero, and Zcash are accepted through CoinPayments.net. Our anonymous token authentication system plus our no-logging policy prevents us from knowing which customers are connected to which server, or what traffic they’re generating on that server.

9. Our most secure OpenVPN instances use: SHA512 for authentication; AES-256-GCM to encrypt the data channel; TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 for the control channel, forced to TLS v1.2 to prevent downgrade attacks; Unique 4096-bit DH parameters for perfect forward secrecy; prime256v1 ECC server/CA certificates, signed with ecdsa-with-SHA512; 2048-bit static key for additional encrypting/authenticating of control channel packets.

For backwards compatibility on older devices that might not support OpenVPN 2.4.x, we also provide instances using: SHA512 for auth, AES-256-CBC for the data channel, TLS-DHE-RSA-WITH-AES-256-CBC-SHA for the control channel, and unique 2048-bit DH parameters for perfect forward secrecy.

10. We do provide firewall rule sets for IPtables, ufw, pf, etc. For Windows users, our open-source VPN client includes a kill switch.

11. We rent/lease servers at various data centers throughout the world. To account for the possibility of physical compromise (i.e., a confiscated server), each server is designed to be as disposable as possible. We don’t keep any data on the servers that can be used to identify a customer, and the data cannot be used to gain access to any other server. We do use our own DNS servers, and we also provide more secure alternatives to DNS such as DNSCrypt and DNSChain.

12. Currently, we have servers in Germany, Netherlands, Lithuania, Finland, Poland, Moldova, Spain, Latvia, Canada, England, Italy, France, Switzerland, Portugal, and eight US servers. We do not use VPS/VMs for our VPN servers. Only bare metal dedicated servers.

CryptoStorm website

WhatTheServer

1. Our OpenVPN servers are configured with “verb 0” so that they keep no logs at all.

2. What The * Services, LLC is incorporated in the USA. We have VPN servers in the USA, Germany, and the Netherlands.

3. We use a custom session management system which operates completely on real-time data and keeps no logs. The session management infrastructure (and all VPN servers) is built on top of OpenBSD and uses the services built into OpenBSD to enforce user management.

4. We run all of our own communications infrastructure. However, we do use Google Analytics on the WhatTheServer.me website.

5. We have never received a DMCA take-down notice or a non-US equivalent regarding our VPN service. However, we did receive a DMCA take-down notice regarding a website one of our customers was running on our Virtual Private Servers.

We responded by replying to the requester letting them know we were looking into it, and we notified the customer via his email on file. Then we contacted the EFF and they put us in touch with a lawyer who helped us get the case dropped, because we did not have the information requested. The customer’s identity was never revealed to the people making the DMCA take-down request, because the bill was paid in Bitcoin & a throwaway email account was used.

6. We have not yet received such a court order or subpoena for user information. However, if we do we will take several steps. First, we would consult with our lawyers to confirm the validity of the order/subpoena, and respond accordingly if it is NOT a valid order/subpoena. Then we would alert our user of the event if we are legally able to.

If the order/subpoena is valid, we would see if we have the ability to provide the information requested, and respond that we do NOT have the information requested. If we DO have the information requested, we would immediately reconfigure our systems to stop keeping that information. Then we would consult with our lawyer to determine if there is any way we can fight the order/subpoena and/or what is the minimum level of compliance we must meet, as well as, notify the user of the event if we are legally able to do so.

If we were forced to start keeping logs on our users, we would go out of business and start a new company in a different jurisdiction.

7. BitTorrent and other file-sharing traffic is allowed on all VPN/Proxy servers which are NOT located in the USA.

8. We accept PayPal, as well as Monero, Bitcoin and over 140 CryptoCurrencies and AltCoins via CoinPayments.net We encourage our users to pay with anonymous payment methods and supply false contact information. We also use a completely different authentication infrastructure and random usernames for the VPN accounts.

9. All of our OpenVPN and SOCKS Proxy servers are running OpenBSD and are using LibreSSL instead of OpenSSL. This protects our servers from a wide range of attacks on the encryption. Our OpenVPN Servers use AES-256-CBC & SHA512 HMAC for the Data Channel, and DHE-RSA-AES256-GCM-SHA384 on the Control Channel. Our OpenVPN Servers are also configured with 4096bit RSA keys and a custom 4096bit Diffie-Hellman parameters. Our SOCKS Proxy is based on OpenSSH, so they support any ciphers the client wants to use. With the OpenSSH protocol, the Client decides what cipher to use instead of the Server.

10. We push Google DNS 8.8.8.8 and 8.8.4.4 to clients. We also have ‘push “block-outside-dns”’ in our OpenVPN server config files which will prevent the client from leaking DNS requests. Additionally, we include “resolve-retry infinite” and “persist-tun” in the OpenVPN client config files which will prevent the client from sending data in the clear if the VPN connection goes down.

11. All of our infrastructure is hosted in third party colocations. However, we use full-disk-encryption on all of our servers. We use Google DNS at this time but we are currently testing alternatives.

12. We offer VPN server locations in the USA, Germany, and Netherlands.

WhatTheServer website

ibVPN

ibvpn1. We do not keep any log that can identify a user of our service with an IP address and/or a timestamp. We are getting ready to be GDPR compliant and (in our opinion) keeping this kind of logs is not respecting the Privacy by Design guidelines.

2. Company’s registered name is Amplusnet SRL. We are a Romanian company, which means we are under EU jurisdiction.

3. We limit the number of concurrent connections and we are using Radius for this purpose.

4. The back end of the website is a dedicated WHMCS for billing and support tickets. We do not use external e-mail providers (we host our own mail server). Our users can contact us via live chat (Zopim). The chat activity logs are deleted on a daily basis. There is no way to associate any information provided via live chat with the users’ account.

5. So far we did not receive any DMCA notice for any P2P server from our server list. That is normal considering that the servers are located in DMCA free zones. For the rest of the servers, p2p and file sharing activities are not allowed/supported.

6. So far, we have not received any court order. We do not support criminal activities, and in case of a valid court order, we must follow the EU laws under which we operate.

7. We have dedicated P2P servers that allows BitTorrent and other file-sharing applications. The servers are located in Netherlands, Luxembourg, Canada, Sweden, Russia, Hong Kong and Lithuania. We do not reroute P2P connections.

8. Payments are performed exclusively by third party processors, thus no credit card info, PayPal ids or other identifying info are stored in our database. For those who would like to keep a low profile, we accept BitCoin, LiteCoin, Ethereum, WebMoney, Perfect Money etc.

9. We support SSTP and SoftEther on most of the servers. We also offer double VPN and TOR over VPN.

10. Yes, Kill Switch and DNS leak protections are implemented in our VPN Clients. Kill Switch is one of the most used features. Our users can decide to block all the traffic when the VPN connection drops or to kill a list of applications. We allow customers to disable IPv6 Traffic and to make sure that only our DNS servers are used while connected to the VPN.

11. We do not have physical control over our VPN servers. We have full remote control to all servers. Admin access to servers is not provided for any third party.

12. The full list of server locations is available here.

ibVPN website

OVPN

ovpn1. Our entire infrastructure and VPN service is built to ensure that no logs can be stored – anywhere. Our servers are locked in cabinets and operate without any hard drives. We use a tailored version ofAlpine, which doesn’t support SATA controllers, USB ports etc. To further increase security, we use TRESOR and grsecurity to be resistant to cold boot attacks.

2. OVPN Integritet AB (Org no. 556999-4469). We operate under Swedish jurisdiction.

3. None.

4. For website insights, we use Piwik, an Open Source solution that we host ourselves. The last two bytes of visitors’ IP addresses are anonymized; hence no individual users can be identified. For support, we use an internally built system.

The mail server is hosted by Glesys, a trusted provider in Sweden. Automatic emails from the website are sent using Mailgun, but we never send any sensitive information via email. Zendesk chat is used for live chat, which we will eventually migrate from when we’ve built a satisfactory in-house solution.

5. Since we don’t store any information, such requests aren’t applicable to us.

6. We can’t provide any information to the court. A court wouldn’t be able to do that [require logging] in our jurisdiction – but in case it did happen we would move the company abroad.

7. Yes.

8. We offer PayPal, credit cards (via Braintree), Bitcoin (via Bitpay), cash in envelopes as well as a Swedish payment system called Swish. We never log IP addresses of users, so we can’t correlate an IP address to a payment.

9. We offer AES-256-GCM. In terms of connection, we recommend using our Multihop add-on.

10. Yes.

11. Yes. We own all the servers and routers, and they’re co-located in various data centers in locked cabinets.

12. USA, Germany, Sweden, United Kingdom, the Netherlands, Canada and Norway. No virtual locations are offered.

OVPN website

Mullvad

VPN review1. No, all details are explained in our no-logging data policy.

2. Amagicom AB, Sweden.

3. We limit the number of simultaneous connections to five per account. This is monitored in real time by our VPN servers which report this information to our central service. When a customer connects to one of our servers, the server asks the central service if the account has reached its connection limit. As we do not save this information, we cannot, for example, tell you how many connections your account had five minutes ago.

4. We have no external elements at all on our website. We do use an external email provider; for those who want to email us, we encourage them to use PGP encryption which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. From time to time, we are contacted by governments asking us to divulge information about our customers. Given that we don’t store activity logs of any kind, we have no information to give out. So far this has never happened.

In addition, we do not believe that it’s possible for Swedish law to order us to actually give out information about our users. Not that we would anyway. We started Mullvad for political reasons and would rather discontinue the service than have it work against its purpose.

7. All traffic is treated equally, therefore we do not block or throttle BitTorrent or other file-sharing protocols.

8. We accept cash, Bitcoin, Bitcoin Cash, bank wire, credit card, PayPal, and Swish. We encourage anonymous payments via cash or one of the cryptocurrencies. We run our own full node in each of the blockchains and do not use third parties for any step in the payment process, from the generation of QR codes to adding time to accounts. Our website explains how we handle payment information.

9. On Windows, macOS, and mobile, we offer OpenVPN with RSA-4096 and AES-256-GCM. On Linux, we also offer WireGuard which uses Curve25519 and ChaCha20-Poly1305. We also offer an experimental post-quantum secure VPN tunnel using WireGuard and NewHope.

10. We offer a kill switch and DNS leak protection, both of which are supported in IPv6 as IPv4. While the kill switch is only available via our client/app, we also provide a SOCKS5 proxy that works as a kill switch and is only accessible through our VPN.

11. Yes, we use our own DNS servers.

12. Our website has an up-to-date server list.

Mullvad website

AceVPN

ace1. We do not log period. No meta-data logging, no traffic logging, no bandwidth usage tracking. We do not have any hidden fair usage policy. We respect our users’ privacy. We do not store any personal or billing information on VPN servers. IP’s are shared amongst users and our configuration makes it extremely difficult to single out any user.

2. We are registered in USA and operate as AceVPN.com

3. We have developed tools to mitigate abuse.

4. We use Google Analytics on www.acevpn.com (marketing site). We do not track proxied pages. We use G Suite for email. Emails are deleted regularly.

5. If we receive DMCA takedown, we block the port mentioned in the complaint. IPs are shared by other users and our configuration makes it extremely difficult to single out any user. We do not share any information with third parties.

6. To date, we have not received a court order. We only store billing information which the payment processor or bank or credit card issuer has.

7. We have special servers for P2P and are in datacenters that allow such traffic. These servers also have additional security to protect privacy when p2p programs are running. We do not reroute traffic as this require inspecting and analyzing traffic which contradicts with our no logs policy.

8. We accept Paypal, Bitcons and Credit cards for payments. We store billing information on a secure server separate from VPN servers and do not track usage nor IP assignments.

9. Both our IKEv2 and OpenVPN supports Elliptic curve cryptography (ECC) which we recommend for secure connectivity. To give an idea, 384 bits ECDSA is equivalent to RSA 7680 bits. Higher the bits, more secure it gets.

10. Yes, we do provide kill switches if a connection drops. Our servers are tested for DNS leak.

11. We have full control over our servers. Servers are housed in reputed datacenters. Many of them are ISO certified and are designed to the highest specifications for performance, reliability and security. We operate our own DNS servers (Smart DNS) for streaming videos. For VPN, we use Google, OpenDNS and Level3 DNS.

12. We have servers in 26+ countries and over 50+ locations /datacenters. USA, Brazil, Canada, Mexico, Denmark, Egypt, France, Germany, Ireland, Italy, Japan, Latvia, Luxembourg, Netherlands, Norway, Romania, Russia, Spain, Sweden, Switzerland, Turkey, UK, Hong Kong, Singapore, Australia, and South Africa.

AceVPN website

BlackVPN

VPN review1. No. We purge all this information when the user disconnects from the VPN.

2. The name of the company is BLACKVPN LIMITED and is registered in Hong Kong and operates under the jurisdiction of Hong Kong.

3. Most of the time we use iptables to manually monitor and mitigate abuse, but in some special and complicated cases we have used fwsnort and psad to detect hacking and spamming from our platform. Limiting concurrent sessions is done through built in functionality in FreeRadius.

4. We run our own email server plus support and live chat systems using open source tools. We use StreamSend for sending generic welcome and renewal reminder emails, as well as for the occasional news updates. We have Twitter widgets on our frontpage that may track visitors. We use our own website analytics (Piwik) where we only save anonymous IP data.

5. We block the port in the firewall on the server listed in the notice.

6. If we received a valid court order from a Hong Kong court, then we would be legally obliged to obey it. So far this has never happened.

7. Bittorrent traffic is not restricted in our Privacy VPN locations, but due to stricter enforcement of DMA notices in the USA and UK we restrict most BitTorrent traffic and only whitelist torrents of known open source software.

8. PayPal and PaymentWall for Credit Cards, Bank Transfers and Prepaid cards. Coingate for all kind of Cryptocurrencies. The transaction details (ID, time, amount, etc) are linked to each user account.

9. We recommend to use IKEv2 or OpenVPN for the most secure VPN connection. We support the very secure GCM cipher mode (AES-256-GCM) together with 4096 bit RSA and Diffie Hellman keys. We also enforce DHE/ECDHE enabled cipher suites and key exchange is done with Diffie-Hellman, providing forward secrecy.

10. For OpenVPN, we stop IPv6 and DNS leaks with the OpenVPN config, and we also disable and blackhole all IPv6 traffic server side. Our custom VPN app provides 100% IPV6 and DNS leak protection client side and we are working on adding a 100% working kill switch there soon.

11. We use dedicated servers which are hosted in 3rd party data centers, but they do not have access to login or manage the server. We run our own DNS servers which do not save any logs. Among others we use Steadfast, i3D, Zenex5ive, Worldstream, Evoluso, Estnoc,Amanah, Voxility, Rackend, CherryServers.

12. We do not now offer virtual locations. Our servers are in USA, UK, Australia, Brazil, Canada, Czech Republic, Estonia, France, Germany, Japan, Lithuania, Luxembourg, Netherlands, Norway, Romania, Spain, Switzerland and Ukraine.

BlackVPN website

Perfect Privacy

pplogovpn1. We do not log or store any traffic, IP addresses or any other kind of data that would allow identification of our users or their activities. The anonymity and privacy of our users is our highest priority and the Perfect Privacy infrastructure was built with this in mind.

2. Perfect Privacy is operated by Vectura Datamanagement, registered in Zug, Switzerland.

3. The primary method to mitigate abuse is reacting to email tickets. In case of malicious activity towards specific targets, we block IP addresses or ranges so they are not accessible from our VPN servers. Additionally, we have limits on new outgoing connections for protocols like SSH, IMAP, and SMTP to prevent automated spam and brute force attacks. We do not limit or keep track of the number of connections per user.

4. All email and support tools are developed and hosted in-house under our control. We use Google Analytics for website optimization and better market reach, but with the anonymizeIp parameter set. However, Perfect Privacy users are exempted from any tracking by Google Analytics and are also able to use our TrackStop filter which will block any tracking (as well as ads and known malware domains) directly on our servers.

5. Because we do not host any data, DMCA notices do not directly affect us. However, we do receive copyright violation notices for file-sharing in which case we truthfully reply that we have no data that would allow us to identify the responsible party.

6. The only step on our side is to inform the contacting party that we do not have any data that would allow the identification of a user. There had been incidents in the past where Perfect Privacy servers have been seized but never was any user information compromised that way. Since no logs are stored in the first place and additionally all our services are running within ramdisks, a server seizure will never compromise our customers. In August 2016 Dutch Authorities seized two of our servers in Rotterdam and no user data was compromised.

7. Yes, BitTorrent and other file sharing is generally allowed and treated equally to other traffic. However, at certain locations that are known to treat copyright violations rather harshly (very quick termination of servers) we block the most popular torrent trackers to reduce the impact of this problem. Currently, this is the case for servers located in the United States and France.

8. We offer a variety of payment options ranging from anonymous methods such as sending cash, or Bitcoin. However, we also offer payment with PayPal and credit cards for users who prefer these options. Because we do not monitor or log IP assignments or account usage, there is no link to the payments.

9. While we offer a range of connection possibilities we would recommend using OpenVPN with 256 bit AES encryption. Additional security can be established by using a cascaded connection over up to four hops and by activating NeuroRouting for optimized routing to keep all traffic in the encrypted VPN network as long as possible.

10. Our VPN client versions for Windows and MacOS both have “kill-switch” functionality (firewall protection against IP and DNS leaks) integrated.

11. All our VPN servers are dedicated servers that run in various data centers around the world. While we have no physical access to the servers, they all are running within RAM disks only and are fully encrypted. We operate our own DNS servers.

12. Currently, we offer servers in 23 countries. All servers are located in the city displayed in the host name – there are no “virtual locations”. For full details about all servers locations please check our server status site as we are constantly adding new servers.

Perfect Privacy website

VPN.ht

1. We keep 0 logs about usage or to match IP-Timestamp to a user.

2. VPN.ht Limited, a Hong Kong Company

3. We allow five concurrent connections with the same UserID.

4. Google Analytics.

5. We do not handle DMCA notices, our data center partners do, and in all cases we do not keep logs so we cannot identify the customer.

6. We will stop updating our Warrant Canary. It has never happened before.

7. Allowed on all our servers.

8. We accept various payment methods: Credit card / PayPal / Cryptocurrency / Other national payments. All are linked by an email.

9. For general use 128bit AES, but we do offer 256bit AES as maximum encryption level.

10. On the next application update.

11. We don’t, but we do have a strong relationship with our partners who operate data centers.

12. We have 127 servers in around 33 countries and we try our best to expand to locations most requested by our customers.

VPN.ht website

VPN Land

1. We store only payment IP addresses for the reasons of fraud prevention, applies to Credit Card and PayPal payments. We don’t record or store information about what our clients do online and it is practically impossible to reverse track an external IP with a timestamp back to a real user.

2. VPNLand Inc., Canada

3. We use custom modified Radius databases to limit concurrent connections. We have AVs installed on all servers, and obvious known attacks are blocked at the firewall level.

4. We use ZenDesk (former Zopim online chat) online chat. Email and support databases are all in-house.

5. Ignored

6. We haven’t received any court order, thankfully. If there is a court order it will be evaluated first and then any action will be taken.

7. P2P is OK on all our VPN servers, except the US ones

8. We use Stripe, PayPal, PaymentWall, BitPay. As said above – IP addresses are logged only for fraud prevention purposes. Payment details are not linked to account usage

9. OpenVPN with AES-256-CBC key, SHA512 Hash Auth, and additional 2048 bit “tls-crypt” key

10. At this moment no, but the work is in progress and with our updated iOS, Android, Windows and Mac apps a “kill-switch” feature will be offered

11. We own half of our infrastructure in Canada, UK and Netherlands. In other countries we rent dedicated servers from hosting companies.

12. USA, Canada, UK, Netherlands, Germany, France, Sweden, Italy, Belgium, Luxembourg, Russian Federation, Singapore, Korea and Japan. VPN Land has no “virtual locations.”

VPN Land website

BolehVPN

bolehvpn1. We do not keep any logs on our VPN servers that would allow us to do this.

2. BV Internet Services Limited, in the Seychelles.

3. Generally, we just look at network graphs and number of connections and see if there is any abnormal activity. We also block certain sensitive ports that are often used for hacking/spamming.

4. We use Zendesk to deal with support queries and do track referrals from affiliates. We also provide the option to send us PGP encrypted messages via e-mail and also Zendesk. We do not use Cloudflare.

5. We generally find providers that are friendly towards such DMCA notices or where it cannot be avoided, we just keep them as surfing/streaming servers with P2P disabled. These servers are more for geo-location or general purpose surfing rather than P2P. We at no times give out customer information to handle this.

6. We maintain a warrant canary which we do update once a month or when there is a request for information (even if we have not complied with it).

7. We marked a few servers as surfing-streaming, as they are on providers with strict DMCA requirements. All other servers support P2P and are not treated differently from any other traffic.

8. PayPal, Paymentwall, Coinpayments, Paydollar, MolPay, Z-Coin/Z-Cash, direct bank-in and we also accept direct Bitcoin/Dash payments.

9. We recommend OpenVPN, with our Cloak servers running AES-256 bit encryption as well as an XOR patch that obfuscates your traffic. This obfuscation prevents it from being recognized as VPN traffic.

10. Yes we do. Our leak prevention also includes IPv6.

11. They are bare metal boxes hosted in various providers. We use our own DNS servers.

12. Canada, France, Germany, Italy, Japan, Luxembourg, Malaysia, Netherlands, Singapore, Sweden, Switzerland, United Kingdom and USA.

BolehVPN website

SaferVPN

1. No logs, timestamps or IP addresses are kept whatsoever. At SaferVPN, we guarantee that we will never log your browsing activity, data, or IP addresses. This includes any websites you visited, any data you may have downloaded, shared or viewed, and any of your IP address or DNS queries.

In respecting everyone’s right to privacy, we also encrypt all of your data traffic, never share or sell any of your traffic details, never read your traffic, and never identify which traffic is yours.

2. SaferVPN operates under our Safer Social Limited company, under Israeli jurisdiction. Israel has strict privacy regulations which do not include a mandatory data retention policy and only apply specifically within the state.

3. Firstly, we do not monitor our users, and we keep no logs, period. That said, we have an active, proprietary system in place to help mitigate abuse. In addition, we also limit our simultaneous connections to five devices per user.

4. We use standard business tools including Google Analytics to improve our website and provide users with the most relevant information. We also use Zendesk as a secure third-party support platform and SendGrid for transactional emails. Our users’ information is never stored within these apps, rather in a separate proprietary database used solely for support and billing requirements.

Any information about how our customers use the VPN itself (such as browsing history, traffic data or DNS queries) is never revealed to third parties and is never logged or stored by SaferVPN.

5. We have not received any court orders as of yet, but in the case that we would be served with one, we would not be able to offer any information at all. We do not log IP addresses nor browsing activity, and we cannot match any activity to real IP addresses, even if we were asked by the court. We simply don’t have that data.

6. See above.

7. BitTorrent and other file-sharing traffic is welcome on our Dutch (NL) VPN servers without any throttling. It isn’t allowed on our other servers as stated in our Terms of Service, due to our agreements with data centers.

8. Our customers can pay via credit card, PayPal and Bitcoin. Payments are performed exclusively by third-party processors — BlueSnap for credit cards, PayPal for PayPal and CoinBase for Bitcoin — who only get the necessary data to verify the payment. As we don’t monitor account usage, payment details cannot be linked to any IP assignments.

9. In most cases we recommend (and default to) OpenVPN UDP and our cipher suite of AES-256 + RSA4096 + SHA256. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers. We use TLS 1.2 on all servers with enabled Perfect Forward Secrecy keys. At the same time, we also offer a wide range of VPN protocols, including OpenVPN, L2TP, IPsec, OpenConnect/AnyConnect (SSL VPN), and iKEV2 – we still offer PPTP for those of you who need it, but we don’t recommend it.

10. SaferVPN provides both an automatic app-level kill switch and a feature for DNS leak protection across all mobile and desktop platforms. We also ensure that our users enjoy Automatic Wi-Fi Security that activates immediate VPN protection across public Wi-Fi hotspots.

11. We use dedicated servers at premium data centers with strong security practices. Due to our special server configuration, no one can access, retain or collect any data. All servers have been set up with a zero logs policy, ensuring that no customer data nor activity is stored on any VPN server.

12. Our servers are physically located in over 34 countries, and across every continent except Antarctica (we’re working on that!).

SaferVPN website

HeadVPN

1. We DO NOT keep any logs. We do not store logs relating to traffic, session, DNS or metadata.

2. We’re registered in the United Kingdom under the name “HEADVPN LTD”

3. We use a pre-configured firewall which is configured by our own technology.

4. Google is the one mail external based system we use. We make standard use of Google Apps and Google Analytics. Of course, we provide 24/7 Live Chat support (powered by Tawk). All other support tools are kept internal for our users and visitors.

5. Since we don’t keep any information on any of our servers there is nothing that we can take down. If we receive a valid DMCA notice we can only take action if the connection is still active (we notify the user and stop the session).

6. We haven’t received any court orders. If that happens, the agency will be informed that no user information is available as we DO NOT keep log. In our practice this was not the case.

7. Yes, we allow P2P/BitTorrent downloading. For P2P/Bittorent traffic we have special VPN servers (which are located in a data center that allows such traffic). On other VPN servers, P2P/Bittorent traffic is blocked.

8. We accept all forms of Credit/Debit cards payments through the Stripe payment gateway, Bitcoins, QIWI, Yandex.Money, WebMoney, AliPay, CashU, iDeal, PaySafecard, and PayPal payment method. We do not store any billing information such as credit cards or addresses.

9. We provide all kinds of encryption methods, including PPTP, L2TP/IPsec, SSTP, OpenVPN and SoftEther protocols. We recommend using OpenVPN protocol as it’s the most secure and using RSA 4096 bit and AES 256 bit encryption keys.

10. We do not offer DNS leak protection via kill switches. DNS leak protection is best handled by using OpenVPN protocol (AES-256-CBC algorithm for encryption).

11. All our VPN servers are hosted in 3rd party data centers with the highest specifications for performance, reliability and security. We have direct access to each server and they all are running within RAM disks (which are fully encrypted).

12. Our VPN servers are located in the United Kingdom, United States, Germany and Netherlands. We do not offer virtual locations.

HeadVPN website

Zenmate

1. No, we do not keep any such logs. We do not monitor the bandwidth usage, nor the websites that users visit.

2. ZenMate is incorporated under the legal entity “ZenGuard GmbH”, registered and operating under German jurisdiction. Germany is known for its strict internet privacy and security laws, we are therefore bound to Germany’s data privacy rules. The latter are reflected in the company’s strict privacy policies, which are followed rigorously.

3. All of our VPN systems and tools that are used to prevent abuse are proprietary and maintained in-house.

4. For user support we use ZenDesk that holds the email address the user provided us and a name if the user added that to the support ticket. For our website we do use Google Analytics, but with the “anonymize_IP” setting enabled.

5. We answer that due to the absence of any user-related data in regards to the usage with ZenMate we cannot give any support to these authorities, as this kind of data is not logged.

6. Due to the absence of any log data we cannot give any historical data to these authorities. As of now, no judge was ever willing to sign a court order to make us start logging (in general, without a specific suspicion) in the future, as this would result in a breach of several other German/European laws. We therefore have been successfully defending our users’ rights for now more than five years, without having to fear any change anytime soon.

7. Yes, we allow all traffic on all servers – as we do not have any control over the user’s traffic at all.

8. We offer a variety of payment methods depending on the country you are located in. Among others, we support payments via VISA, MasterCard, American Express, PayPal, Sofort Banking. We do not process payments on our own. We contracted with Adyen B.V. as our payment provider for the processing of payments – who is fully PCI DSS and PCI SAQ compliant.

We do not have a linked connection between payment details (which is on Adyen’s side) and account usage (which we do not log) or IP assignment (which happens completely automatically), as these are completely different systems at two different companies.

9. We use the latest TLS 1.2 (RFC 5246) protocol and support different cipher suites with PFS (Default for Chrome is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and up to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. No known attack currently target these cyphers. AES 128 is preferred to AES 256. There have been discussions on whether AES 256 extra security was worth the cost, and the result is far from obvious. At the moment, AES 128 is preferred, since it provides bulletproof security, it is really fast and seems to be more resistant to timing attacks.

10. Yes, we provide kill switches in the browser extensions, Windows and Android.

11. We work with a small number of trusted partners that operate premium data centers with strong security practices. Nevertheless, due to the high encryption and the zero-logging policy even at an unauthorized access, the attacker could not get any information about the activity of a specific user, as there is none on our VPN servers.

12. With ZenMate you can relocate your IP address to hide your real location and circumvent network restrictions to unblock geo-restricted sites.

We are currently offering over 30 different country locations to choose from, for example: Germany, Romania, Hong Kong, United States, Austria, Australia, Belgium, Bulgaria, Canada, Czech Republic, Finland, France, Israel, Italy, Japan, Latvia, Luxembourg, Moldova, Netherlands, Norway, Poland, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.

Zenmate website

Buffered

1. We do not keep any logs that can link a user to a certain IP address. We keep anonymized logs of some usage so that we can improve the service. No single user can ever be identified.

2. We are incorporated in Gibraltar as Buffered Ltd. All card payments are taken via this entity. We take payments on PayPal via our Hungarian subsidiary, which is fully owned by the Gibraltar company.

3. Our own internal tools monitor how many devices a user has connected.

4. We do not use any external email providers, we only use internal traffic analytics (no Google Analytics or any other tracking). We use Livechat.com for live support.

5. We are not a content provider, but a network/transit service, therefore DMCA requests are not applicable to us. If we do receive one we do not attempt to identify the user (since we cannot anyway).

6. This has not happened.

7. Yes, we do not interfere with traffic in this way.

8. We use Checkout.com and PayPal, and Bitpay for bitcoin payments. Since we do not store usage logs of users this cannot be linked to payment providers, however, users should be aware that paying for a VPN with anything other than bitcoin will make it easy to identify that you have at least paid for that particular VPN.

9. Even though blowfish is sufficiently secure, now with hardware-accelerated AES, this is faster than blowfish. Consequently, we are rolling this out everywhere as it greatly improves battery consumption and security, especially in resource-constrained environments like routers and mobiles.

10. Yes we do, we recently released a firewall based killswitch. It blocks all traffic in case of the VPN connection dropping.

11. We use our own DNS servers. We rent servers across the world from providers like Leaseweb and 100TB.

12. We offer connections in 45 countries, and there are no virtual locations.

Buffered website

VPN providers With Some Logs

Seed4.me

seed4me1. We do not analyze or DPI traffic. We also do not keep logs on VPN nodes. General connection logs are stored on a secure server for seven days to solve network issues if there are any (for example if VPN IP is blocked in China and needs replacement). These logs are deleted after seven days if there are no network problems.

2. Taiwan. Seed4.Me Inc. We are not aware of any legislation requiring to share client information and we are not aware of any precedents in Taiwan, where client information was disclosed. We do not hold much information anyway. On the other hand, we do not welcome illegal activities which potentially harm other people.

3. We use simple firewall rules to avoid some abuses in advance. Regarding concurrent connections: we do not have any limits when Client uses our Windows, MAC, iOS or Android app. When Customer sets up L2TP/PPTP VPN manually he has one simultaneous connections by default, this number can be increased and it’s totally free. We use our own solution to manage abusive accounts and limit concurrent L2TP/PPTP connections.

4. Currently, we utilize Google Analytics and G Suite (ex. Google Apps). Regarding G Suite, we do not store any sensitive information there, only support issues.

5. In case of abuse we null route the IP to keep ourselves in compliance with the DMCA. Currently, we use simple firewall rules to block torrents in countries where the DMCA applies.

6. We will act in accordance with the laws of the jurisdiction, only if court order comes from a jurisdiction where the affected server is located. Fortunately, as I said before, we do not keep any logs on VPN nodes, on the other hand – we do not encourage illegal activity. This never happened.

7. Torrents are allowed on our VPN servers in Switzerland, Sweden, and Latvia. This is torrent-friendly countries with high-quality data centers and networks.

8. We accept Bitcoin, PayPal, Visa, MasterCard, Webmoney, QIWI, Yandex.Money, Bank transfer and In-App purchases in our mobile apps. We do not store sensitive payment information on our servers, in most cases payment system simply sends us a notification about successful payment with the amount of payment. We validate this data and grant access to VPN. BTW, we do not require name of the cardholder when he pays for the VPN in our desktop app.

9. Obfuscated OpenVPN with 2048-bit key will be a good choice, it’s available in our Desktop and Android apps. Also our iOS App has Automatic protection option that guarantees for example that all outgoing connections on open Wi-Fi will be encrypted and passed through secure VPN channel.

10. Yes, we have a kill switch in our Desktop VPN app. Yes, we provide DNS leak protection in our Desktop VPN app.

11. All servers are remotely administered by our team only, no outsourcing. No data is stored on VPN nodes (if the node is confiscated, there will not be any data). We prefer to deal with trustworthy Tier-3 (PCI-DSS) data centers and providers to ensure reliable service with high security. As for DNS, we use Google, users can override these settings with their own.

12. Currently we offer VPN nodes in 21 location: USA, UK, Canada, France, Russia, Switzerland (torrent-friendly), Sweden (torrent-friendly), Belgium, Ukraine, Latvia (torrent-friendly), Bulgaria, Netherlands, Spain, Germany, Italy, India, Hong Kong, Singapore, Israel, Taiwan and South Korea.

We offer one virtual location. Currently, we try not to fake IP locations and provide real IPs directly from the country where the VPN server is physically located.

Seed4.me website

VPN.ac

vpnac1. We keep connection logs for one day to help us in troubleshooting customers’ connection problems but also to identify attacks (e.g. bruteforce, account theft). This information contains IP address, connection start and end time, protocol used (including port) and amount of data transferred.

2. Netsec Interactive Solutions SRL, registered in Romania.

3. There are automated firewall rules that can kick-in in the event of some specific abusive activities, manual intervention can be done when absolutely necessary in order to maintain the infrastructure stable and reliable for everyone. Concurrent connections are limited by the authentication back-ends.

4. No.

5. We are handling DMCA complaints internally without involving the users (i.e. we are not forwarding anything). We use shared IP addresses so it’s not possible to identify the users.

6. It never happened. In such event, we would rely on legal advice.

7. It is allowed.

8. All major cryptocurrencies, PayPal, credit cards, Perfect Money, several country-specific payment methods, gift cards. Payment with cryptocurrencies can be anonymous.

9. OpenVPN using Elliptic Curve Cryptography for Key Exchange (ECDHE, curve secp256k1) is used by default in most cases. We also support RSA-4096, SHA256 and SHA512 for digest/HMAC. For data encryption we use AES-256-GCM and AES-128-GCM.

10. Yes, such features are embedded in our client software.

11. We have physical control of our servers in Romania. In other countries, we rent or collocate our hardware. We use our own DNS resolvers and all DNS traffic between VPN gateways and DNS resolvers is encrypted.

12. We don’t use “virtual locations”. All servers are physically located in several countries (and growing), such as: Australia, Canada, Switzerland, Germany, Spain, Finland, France, Hong Kong, Italy, Japan, South Korea, Lithuania, Luxembourg, Mexico, Netherlands, Norway, Poland, Portugal, Romania, Sweden, Singapore, Taiwan, UK, USA.

VPN.ac website

IronSocket

ironsocket1. We keep limited session logs for all of our services. These logs record the duration of a connection, the IP address used for the connection and the number of bytes transferred.

These logs are typically kept for 72 hours, usually less, after which they are purged. We log this data for fraud and abuse detection/prevention. Since we use shared IPs on our servers, and do not log activity, it is difficult to associate specific activity with individual users.

2. IronSocket is owned and operated by Pusa and Daga Hong Kong Limited in the jurisdiction of the Hong Kong Special Administrative Region.

3. We do not use any third-party email providers or support tools. We use Google Analytics and HasOffers which have minimal visitor tracking information used for website usage reporting and management of our affiliate program, respectively.

4. IronSocket is not subject to the DMCA or any international equivalent. We do NOT host any user-uploaded content on any of our servers. While IronSocket is not subject to DMCA, some of our hosting and data center partners reside in locations that are. If they escalate a DMCA notice to us, we reply to the provider that we are a service provider like them, and that we do not log our user’s activity.

5. This has not happened. It is our policy to cooperate with legal orders that are valid under Hong Kong SAR law. The process to address such request is: (A) Verify the order is legal and valid. (B) Consult with legal counsel to determine what we are required to provide. (C) Determine if we have the data being requested.

Because of our privacy policy, terms of service, shared IP usage, and anonymous payment methods, it would be difficult to impossible to associate a specific activity with an individual user.

6. P2P traffic is allowed on servers in countries where such traffic is not restricted. We do not allow P2P on all servers due to the legal pressure on the data centers in certain regions of the world. All traffic is treated equally on our network.

7. We accept credit / debit card payments via SafeCharge and PayPal. Bitcoin transactions are processed by BitPay and major US brand gift cards are handled by PayGarden. We do not collect sensitive payment information. Any sensitive payment information is maintained by each respective payment processor and is linked by a unique transaction number.

8. OpenVPN with strong encryption: AES 256-bit encryption with SHA256 message authentication, using a 4096-bit key for secure authentication.

9. We are currently beta testing a new client for Microsoft Windows systems that offers DNS leak protection and VPN drop protection. VPN drop protection has the option of killing specific applications or the system’s network connection.

10. We are currently beta testing a new client for Microsoft Windows systems that offers support for the OpenVPN, L2TP, and PPTP VPN protocols.

11. We host and maintain our own DNS servers. We manage all our VPN servers but they are hosted and maintained by third-party data centers. We vet all providers prior to engaging their services and we continuously evaluate the quality of service and responsiveness to our requirements and requests.

12. We have hundreds of servers in 38 different countries and are always adding more. The most up-to-date list can be found here.

IronSocket website

—–

Note: several of the providers listed in this article are TorrentFreak sponsors. We reserve the first three spots for our sponsors, as a courtesy.

VPN providers who want to be in future question rounds are free to get in touch.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and more. We also have VPN discounts, offers and coupons

[from http://ift.tt/148uEe4]

No comments: